Bug 1728246
| Summary: | Allow systemd-user-runtime-dir to list /run content | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Cédric Jeanneret <cjeanner> |
| Component: | container-selinux | Assignee: | Jindrich Novy <jnovy> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | atomic-bugs <atomic-bugs> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 8.0 | CC: | dhcpme, dwalsh, lvrabec, mmalik, plautrba, ssekidde, zpytela |
| Target Milestone: | rc | ||
| Target Release: | 8.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | container-selinux-2.110.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-04-13 09:17:55 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Fixed in container-selinux-2.110.0 |
Description of problem: We can see this kind of AVC upon reboot, on a rhel-8 with podman containers: type=AVC msg=audit(1562587793.241:215): avc: denied { read } for pid=8208 comm="systemd-user-ru" name="libpod" dev="tmpfs" ino=73106 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:container_runtime_tmpfs_t:s0 tclass=dir permissive=0 type=AVC msg=audit(1562587793.241:216): avc: denied { read } for pid=8208 comm="systemd-user-ru" name="overlay-containers" dev="tmpfs" ino=73105 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:container_runtime_tmpfs_t:s0 tclass=dir permissive=0 type=AVC msg=audit(1562587793.241:217): avc: denied { read } for pid=8208 comm="systemd-user-ru" name="overlay-layers" dev="tmpfs" ino=73104 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:container_runtime_tmpfs_t:s0 tclass=dir permissive=0 Version-Release number of selected component (if applicable): selinux-policy-3.14.1-61.el8_0.1.noarch How reproducible: Always Steps to Reproduce: 1. deploy containers with bind-mounted /run 2. ensure they are persistent (systemd unit, whatever) 3. reboot Actual results: We can see these kind of AVC in the audit.log Expected results: We shouldn't see them - either allowed or not audited. Additional info: A bug was open against container-selinux, apparently it's more for the selinux-policy package: https://github.com/containers/container-selinux/issues/73 Thank you!